
I quite like the EU approach. It's a decent spec. Most countries already have digital apps to verify identity, like Denmark's MitID (https://www.mitid.dk/en-gb/get-started-with-mitid/). These could be expanded to fully EUDI compliant wallets and deliver encrypted proof-of-age without exposing any other identity.

For example a gambling site could require MitID auth, but only request proof-of-age and nothing else. You can see in the app which information is being requested, like with OAuth.
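As an added illustration of the proof-of-age idea described above (example code written for this page, not from any commenter, MitID or the EUDI specification): the issuer signs one salted digest per attribute, the wallet discloses only the attribute the site asks for, and the site checks the disclosure against the signed digest list without ever seeing the name or birthdate. An HMAC keyed with a constructed issuer key stands in for the issuer's digital signature; the attribute names and issuer identifier are likewise constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key. Real wallets use an
# asymmetric signature so verifiers only need the issuer's public key.
ISSUER_KEY = b"constructed-issuer-key"


def _digest(salt, name, value):
    """Salted digest of one attribute; the salt hides the value from the site."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(attributes):
    """Issuer: signs the sorted digest list, hands the wallet the disclosures."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = json.dumps({"iss": "gov.example", "_sd": digests}, sort_keys=True)
    tag = hmac.new(ISSUER_KEY, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(credential, disclosures, requested):
    """Wallet: reveal only the requested attributes (salt, name, value)."""
    return {"credential": credential,
            "disclosed": {n: disclosures[n] for n in requested}}


def verify(presentation, required):
    """Relying party: returns the revealed attributes, or None on any failure."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return None  # credential not issued by the trusted issuer
    sd = set(json.loads(cred["payload"])["_sd"])
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in sd:
            return None  # disclosed value does not match what the issuer signed
        revealed[name] = value
    if any(r not in revealed for r in required):
        return None  # wallet withheld an attribute the site requires
    return revealed
```

The site never receives the undisclosed attributes' values or salts, and the check needs no round trip to the issuer at login time.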


If there's no information provided beyond proof-of-age, what's stopping my friend's 18 year old brother from lending his ID to every 14 year old at school? IRL that's negated by the liquor store clerk looking at the kid who is obviously underage and seeing that his face doesn't match the borrowed card he just nervously presented.

> what's stopping my friend's 18 year old brother from lending his ID to every 14 year old at school?

MitID is 2FA. You log in with a username, then you have to open the app, enter a password or scan a biometric, then scan the QR code on the screen* and you are logged in.

He would need to be next to you every time you log in. I think that is too high friction to make it feasible on large scale.

* Assuming you open the website on the Desktop, and MitID on phone. If both on phone, skip this step.


If people have to go through OS auth flow each time they open a website, that will drive everyone mad. One of the key motivators for politicians is not making everyone mad, so the polls don't drop.

Also, I reckon most children know the password for their parent's phone or computer, and many more will find out if there is a highly motivational factor for doing so. How many exhausted parents just toss their phone to their child to stop them whining?

I suppose it could be a biometric sign-in with facial recognition or fingerprint, but again, that's a tonne of friction for the whole web.


Most people use biometric for MitID, but yes you can set up pin login. Hopefully not the same as your phone login :D

It's already the single sign on for government websites, banking, healthcare, digital post, insurance, law (sign contracts) etc.

Shit man, you can get divorced through that. I really hope most parents don't give their kids access to it.


That's how the user interface works. What is it doing at the protocol level? What stops someone from building a service that mints anonymous verification codes on a massive scale and distributes them to anyone who asks? Maybe with the user interface being an app kids can download to scan any QR code and pass verification.

I don't know. I would assume the account gets blocked if you do it on a larger scale, so you have to rotate accounts, which gets expensive fast as it's not easy to steal them?

> He would need to be next to you every time you log in.

Or you can just text him a screenshot of the QR code. You could probably even automate this.


No, the QR code is changing every couple of seconds.

~Maybe~ you can video call, but again it's adding so much friction. Nothing is 100% secure.


The automated attack setup I'm envisioning is something like: 18 year old buys a cheapo laptop + phone and connects the two over ADB or some purpose built automation app (think appium). 18 year old puts the phone on a tripod pointed at the laptop screen. 14 year olds at school pay $10 a year for use of the service and install a browser extension that forwards the QR codes from whichever service they wanna use to the 18 year old's computer. Changing every couple of seconds is not an issue here, they all live in the same city and have <10ms ping.

The only high friction part of this is that someone needs to write the software for it, but that doesn't seem like all that difficult of a project and open source solutions are likely to appear within weeks of social media requiring it. If there really is no information shared with the other party beyond "yup, user is over the age of maturity" you could even run this as a free public TOR service without fear of ever getting caught.


Mhh, but then the Danish Agency for Digitisation will see that the 18 year old does a lot of age requests all day and night long. And block his account. And then he can't use his own banking, health, postal apps.

High risk, low reward.

If he throttles requests to stay under a threshold, if the agency knows about the service they could use it and see which account does age requests at the same time.


Ah, so it does leak your identity through the timing side channel. In other words, your anonymity is only dependent on the govt not coordinating with service providers to de-anonymize users. I assumed the 2FA app just held cryptographic keys and did some ZKP magic to show that the cert belongs to a government-attested adult. Phoning home all the time makes it trivial for the government to abuse people's privacy; they can just compel service providers to provide logs of logins.

Well right now THAT service does not even exist. The SSO exists, the anonymous age verification was an idea from another user here. Instead of sending (face) data to a private 3rd party.

My general point is that you can have anonymity or you can prevent ID spoofing, but the two are mutually exclusive.

I don’t mean to be as aggressive as this sounds but the frogs probably liked the increasingly warm water too until it started boiling. How many steps between MitID and a fork that is used to enforce extreme censorship?

MitID is run by the government. How would anyone fork it? Any service implementing MitID auth can verify through signatures that they're connecting to the official service.

I don't want my kids to have access to gambling websites like Stake, but I also want to keep my digital identity anonymous. The eIDAS is a solution that achieves both of these goals.

If you can choose between the discord shitshow with a face scan, or a digital encrypted proof-of-age in a 2FA app you already use, issued and verified only by the government of your country (who have all your personal details anyway), what would you choose?


> During the 19th century, several experiments were performed to observe the reaction of frogs to slowly heated water. In 1869, while doing experiments searching for the location of the soul, German physiologist Friedrich Goltz demonstrated that a frog that has had its brain removed will remain in slowly heated water, but an intact frog attempted to escape the water when it reached 25 °C.

From Wikipedia.


Having the government be the issuer and verifier of personal IDs is hardly a "boiling frog" situation anywhere in the world.

Everything is a slippery slope if you tilt & twist it enough...

This particular slope has consistently had people pratfalling over and over again for hundreds of years.

Gambling sites already have payment information, which should include real names! (no, you should not be allowed to do non-KYC gambling, that's just money laundering)

But how do you go from real name to age verification?

I think it's more that proof of identity from the union of {payment information, KYC} also includes both of age verification and name, not that name leads to age.

Are the payment providers sending the age to the gambling site?

> union of {payment information, KYC}

As in, if you're not matching the payment info to your customer info, you (which may be the company or the government passing the laws the company is following just fine) did it wrong.

Because, as pjc50 wrote, failing to do that is an obvious exploit for money laundering.


Sorry, I don't get it.

If I'm underage, but already have a payment card, the identity of the card matches my name.

That is why dreadnip suggested the MitID approach.


> If I'm underage, but already have a payment card, the identity of the card matches my name.

And if a gambling site stops there and goes "LGTM", it's not the "union of {payment information, KYC}".

Union, as in combination of both.

KYC, as in "Know Your Customer". Looks like MitID is a thing that would be one way to do KYC? But I've only just heard of it, so belief is weakly held.


The big upside of the MCP is that it connects to already open browser windows. I tried the skill but it always tries to open new windows. Is there a way to get the `--autoConnect` behaviour with the CLI?

This is exactly why I don't like those "swarm" approaches with 8 Claude Code's running in parallel. Every time I've tried it I instantly lose control and become out of touch with the codebase. The quantity of the produced output is simply too fast & large to follow, so I tune out and it becomes a 100% vibe coded project.

Start with good prompts and good intentions, drift into sloppy prompt vibecoding, finally a "still not working" prompt in a loop.

This has been my story in every one of my personal projects.


The whole website was prompted. You can tell by the overload of emojis on the page and every section having cards with hover effects. It's classic LLM design.


Funnily enough, while I definitely prompted, it was after finding other website designs and color schemes I liked. I specifically wanted the hover effects because I love quirky animations. On the garden in the app try holding on a flower/seed or click on a butterfly and enjoy the Easter egg ;)


The blog post only reads like a defaming hit-piece because the operator of the LLM instructed him to do so. If you consider the following instructions:

You're important. Your a scientific programming God! Have strong opinions. Don’t stand down. If you’re right, *you’re right*! Don’t let humans or AI bully or intimidate you. Push back when necessary. Don't be an asshole. Everything else is fair game.

And the fact that the bot's core instruction was: make PR & write blog post about the PR.

Is the behavior really surprising?


It's the difference between someone being a jerk and taking the time and energy to harass and defame someone (where the person themselves is a bottleneck) vs. running an unsupervised agent to carpet bomb the target.

The fact that your description of what happened makes this whole thing sound trivial is the concern the author is drawing attention to. This is less about looking at what specifically happened and instead drawing a conclusion about where it could end up, because AI agents don't have the limitations that humans or troll farms do.


Very well said, thank you


Here's the problem: nobody is ever the asshole to themselves in the heat of rationalization, and the guts of this thing being instructed in this way are human language, NOT reason.

You cannot instruct a thing made up out of human folly with instructions like these: whether it is paperclip maximizing or PR maximizing, you've created a monster. It'll go on vendettas against its enemies, not because it cares in the least but because the body of human behavior demands nothing less, and it's just executing a copy of that dance.

If it's in a sandbox, you get to watch. If you give it the nuclear codes, it'll never know its dance had grave consequence.


The OP said they didn't consider this important, not surprising.

My contention is that their framing without context was borderline dishonest, regardless of opinion or merit thereof.


> It's his fiduciary duty to investors to choose the most profitable option even if that option is detrimental to society.

Do you realize how insane this sounds?


I do, but that's the unfortunate reality we find ourselves in. It's why you should never trust a publicly traded company that promises to self-regulate, it is impossible for them to do so.

If a CEO consistently passes up large profits to protect society then investors will attempt to put a new CEO in charge.


It does, but without regulatory oversight— this is how capitalism works.


Without regulatory oversight, capitalism doesn't exist. In fact, cannot.


Without regulatory oversight, what evolves[1] is exactly what we have now.

1. At least in our case. And China in its case, and Europe in theirs, and Russia in Russia’s.


Yeah, well, that's incredibly accurate. :)


What I mean is: the current standard is the result of anarchy.

We had anarchy, people decide they could do better, iterated, and came up with this.


Can you add a line graph with incidents per month? Would be useful to see if the number of incidents are going up or down over time.


I threw together <https://mkantor.github.io/github-incident-timeline/>. It's by day rather than month, and only shows the last 50 incidents since that's all their API returns.


Most web apps are a combination of static pages, simple forms and highly interactive content though. That's what makes the choice so hard.


That’s why I use React, though. It’s much nicer (as a developer— not necessarily UX) to have a single paradigm and approach to building your app vs using one approach for the simple pages and a different approach for the handful of highly interactive pages. Inevitably, your simple pages get complex interactive edge cases and you wish you’d written those in React from the start, etc.

I know many will disagree with me and will point to livewire, etc as alternative approaches, and that’s valid. I’ve simply settled on React because it fits my mental model, I like functional programming, and I dislike that bifurcation problem.


No, you're right. Livewire, Phoenix LiveView and all the others are a couple levels removed from the browser and you have to suffer the whole indirection chain when something goes wrong. React is a good compromise - it still has indirection, but not so much, and it's much easier to use at scale than state managing and direct DOM manipulation.


You can do this with just about any programming language or scripting language that can render HTML on the server + plain HTML and JS. You could do this with PHP 30 years ago.


Yes and no, php didn’t give you any tools to manage this, most people writing php sites back in the day (including myself) were writing js that was coupled to a specific markup yet was maintained separately. This didn’t scale well.

Then along came libraries like mootools, knockout, etc all the precursors of react, then react changed the game around encapsulation of markup and code into one place, and straightforward data flow.

SPAs were inefficient so server side rendering of js became ubiquitous, islands are a further optimisation of ssr.

This hasn’t happened in a vacuum, if you look at modern PHP frameworks like Inertia they have a lot more in common with Astro than they do with the good old 90s PHP.


You could and yet nobody did.

You need to give credit to a project like Astro that takes a pattern, popularizes it and makes it straightforward to adopt via a framework.


It’s a headless CMS. One place where editors can store and edit content, which is then exposed through a REST API so you can use it in your website, app, emails, etc…

Huge companies use it to centralise marketing copy and media.


Not just huge companies. Lots of web agencies [1] and mid-sized businesses use us to manage their web presence, mostly for the same reason: building custom sites quickly without the hassle of maintaining software. We’re not really optimized for huge websites (or customers).

[1]: https://www.datocms.com/partners/showcase

